netdevsim netdevsim1: Direct firmware load for . failed with error -22
netdevsim netdevsim1: Falling back to sysfs fallback for: .
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x22/0x9c lib/list_debug.c:23
Read of size 8 at addr ffffffe00a9ba4c8 by task syz-executor.1/8265

CPU: 0 PID: 8265 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller-00011-g18a3c5f7abfd #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] walk_stackframe+0x0/0x23c arch/riscv/kernel/traps.c:202
[] dump_backtrace+0x40/0x4e arch/riscv/kernel/stacktrace.c:113
[] show_stack+0x22/0x2e arch/riscv/kernel/stacktrace.c:118
[] __dump_stack lib/dump_stack.c:79 [inline]
[] dump_stack+0x148/0x1d8 lib/dump_stack.c:120
[] print_address_description.constprop.0+0x52/0x31e mm/kasan/report.c:232
[] __kasan_report mm/kasan/report.c:399 [inline]
[] kasan_report+0x16e/0x18c mm/kasan/report.c:416
[] check_region_inline mm/kasan/generic.c:180 [inline]
[] __asan_load8+0x6e/0x80 mm/kasan/generic.c:253
[] __list_add_valid+0x22/0x9c lib/list_debug.c:23
[] __list_add include/linux/list.h:67 [inline]
[] list_add include/linux/list.h:86 [inline]
[] fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:516 [inline]
[] fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:581 [inline]
[] firmware_fallback_sysfs+0x2fc/0x910 drivers/base/firmware_loader/fallback.c:657
[] _request_firmware+0x856/0xa4a drivers/base/firmware_loader/main.c:831
[] request_firmware+0x38/0x54 drivers/base/firmware_loader/main.c:875
[] devlink_compat_flash_update+0x162/0x2e2 net/core/devlink.c:10515
[] ethtool_flash_device+0xca/0xda net/ethtool/ioctl.c:2060
[] dev_ethtool+0x18e4/0x36d6 net/ethtool/ioctl.c:2744
[] dev_ioctl+0x3b2/0x6dc drivers/usb/gadget/legacy/inode.c:1114
[] sock_do_ioctl net/socket.c:1062 [inline]
[] sock_ioctl+0x3d8/0x66c net/socket.c:1179
[] vfs_ioctl fs/ioctl.c:48 [inline]
[] __do_sys_ioctl fs/ioctl.c:753 [inline]
[] sys_ioctl+0x5c2/0xd56 fs/ioctl.c:739
[] ret_from_syscall+0x0/0x2

Allocated by task 8249:
arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:145
stack_trace_save+0x4a/0x6a kernel/stacktrace.c:121
kasan_save_stack+0x26/0x5c mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:427 [inline]
____kasan_kmalloc mm/kasan/common.c:506 [inline]
__kasan_kmalloc+0x64/0x7e mm/kasan/common.c:515
kasan_kmalloc include/linux/kasan.h:233 [inline]
kmem_cache_alloc_trace+0x1a0/0x2bc mm/slub.c:2934
kmalloc include/linux/slab.h:554 [inline]
kzalloc include/linux/slab.h:684 [inline]
__allocate_fw_priv drivers/base/firmware_loader/main.c:186 [inline]
alloc_lookup_fw_priv drivers/base/firmware_loader/main.c:250 [inline]
_request_firmware_prepare drivers/base/firmware_loader/main.c:744 [inline]
_request_firmware+0x236/0xa4a drivers/base/firmware_loader/main.c:806
request_firmware+0x38/0x54 drivers/base/firmware_loader/main.c:875
devlink_compat_flash_update+0x162/0x2e2 net/core/devlink.c:10515
ethtool_flash_device+0xca/0xda net/ethtool/ioctl.c:2060
dev_ethtool+0x18e4/0x36d6 net/ethtool/ioctl.c:2744
dev_ioctl+0x3b2/0x6dc drivers/usb/gadget/legacy/inode.c:1114
sock_do_ioctl net/socket.c:1062 [inline]
sock_ioctl+0x3d8/0x66c net/socket.c:1179
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
sys_ioctl+0x5c2/0xd56 fs/ioctl.c:739
ret_from_syscall+0x0/0x2

Freed by task 8249:
arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:145
stack_trace_save+0x4a/0x6a kernel/stacktrace.c:121
kasan_save_stack+0x26/0x5c mm/kasan/common.c:38
kasan_set_track+0x18/0x24 mm/kasan/common.c:46
kasan_set_free_info+0x1e/0x3a mm/kasan/generic.c:357
____kasan_slab_free mm/kasan/common.c:360 [inline]
____kasan_slab_free mm/kasan/common.c:325 [inline]
__kasan_slab_free+0xb2/0xea mm/kasan/common.c:367
kasan_slab_free include/linux/kasan.h:199 [inline]
slab_free_hook mm/slub.c:1562 [inline]
slab_free_freelist_hook+0x8e/0x18a mm/slub.c:1600
slab_free mm/slub.c:3161 [inline]
kfree+0xd2/0x3d0 mm/slub.c:4213
__free_fw_priv drivers/base/firmware_loader/main.c:282 [inline]
kref_put include/linux/kref.h:65 [inline]
free_fw_priv drivers/base/firmware_loader/main.c:289 [inline]
firmware_free_data drivers/base/firmware_loader/main.c:584 [inline]
release_firmware.part.0+0x272/0x348 drivers/base/firmware_loader/main.c:1053
release_firmware drivers/base/firmware_loader/main.c:1051 [inline]
_request_firmware+0x4d2/0xa4a drivers/base/firmware_loader/main.c:839
request_firmware+0x38/0x54 drivers/base/firmware_loader/main.c:875
devlink_compat_flash_update+0x162/0x2e2 net/core/devlink.c:10515
ethtool_flash_device+0xca/0xda net/ethtool/ioctl.c:2060
dev_ethtool+0x18e4/0x36d6 net/ethtool/ioctl.c:2744
dev_ioctl+0x3b2/0x6dc drivers/usb/gadget/legacy/inode.c:1114
sock_do_ioctl net/socket.c:1062 [inline]
sock_ioctl+0x3d8/0x66c net/socket.c:1179
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
sys_ioctl+0x5c2/0xd56 fs/ioctl.c:739
ret_from_syscall+0x0/0x2

Last potentially related work creation:
arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:145
stack_trace_save+0x4a/0x6a kernel/stacktrace.c:121
kasan_save_stack+0x26/0x5c mm/kasan/common.c:38
kasan_record_aux_stack+0xaa/0xe4 mm/kasan/generic.c:345
__call_rcu kernel/rcu/tree.c:3039 [inline]
call_rcu+0x8c/0x4ac kernel/rcu/tree.c:3114
free_fib_info net/ipv4/fib_semantics.c:256 [inline]
fib_create_info+0x149e/0x2aba net/ipv4/fib_semantics.c:1549
fib_table_insert+0x12c/0xe0c net/ipv4/fib_trie.c:1224
fib_magic+0x2e8/0x3d2 net/ipv4/fib_frontend.c:1085
fib_add_ifaddr+0x2d0/0x2f4 net/ipv4/fib_frontend.c:1129
fib_netdev_event+0x388/0x4a4 net/ipv4/fib_frontend.c:1466
notifier_call_chain+0xb8/0x188 kernel/notifier.c:83
raw_notifier_call_chain+0x2a/0x38 kernel/notifier.c:410
call_netdevice_notifiers_info+0x9e/0x10e net/core/dev.c:2075
call_netdevice_notifiers_extack net/core/dev.c:2087 [inline]
call_netdevice_notifiers net/core/dev.c:2101 [inline]
__dev_notify_flags+0xa6/0x17a net/core/dev.c:8728
dev_change_flags+0x9c/0xba net/core/dev.c:8764
do_setlink+0x4b2/0x222e net/core/rtnetlink.c:2708
__rtnl_newlink+0x87a/0xe5a net/core/rtnetlink.c:3376
rtnl_newlink+0x50/0x7c net/core/rtnetlink.c:3491
rtnetlink_rcv_msg+0x320/0x858 net/core/rtnetlink.c:5553
netlink_rcv_skb+0x9c/0x248 net/netlink/af_netlink.c:2502
rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:5571
netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
netlink_unicast+0x38c/0x560 net/netlink/af_netlink.c:1338
netlink_sendmsg+0x45c/0x890 net/netlink/af_netlink.c:1927
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg+0xa0/0xc4 net/socket.c:674
__sys_sendto+0x170/0x230 net/socket.c:1977
__do_sys_sendto net/socket.c:1989 [inline]
sys_sendto+0x3e/0x52 net/socket.c:1985
ret_from_syscall+0x0/0x2

Second to last potentially related work creation:
arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:145
stack_trace_save+0x4a/0x6a kernel/stacktrace.c:121
kasan_save_stack+0x26/0x5c mm/kasan/common.c:38
kasan_record_aux_stack+0xaa/0xe4 mm/kasan/generic.c:345
__call_rcu kernel/rcu/tree.c:3039 [inline]
call_rcu+0x8c/0x4ac kernel/rcu/tree.c:3114
fib6_info_release include/net/ip6_fib.h:337 [inline]
fib6_info_release include/net/ip6_fib.h:334 [inline]
fib6_del_route net/ipv6/ip6_fib.c:1994 [inline]
fib6_del+0xb5e/0xcf2 net/ipv6/ip6_fib.c:2027
fib6_clean_node+0x29a/0x354 net/ipv6/ip6_fib.c:2189
fib6_walk_continue+0x356/0x4e6 net/ipv6/ip6_fib.c:2111
fib6_walk+0xf4/0x1ce net/ipv6/ip6_fib.c:2159
fib6_clean_tree+0x70/0x9a net/ipv6/ip6_fib.c:2239
__fib6_clean_all+0xfc/0x262 net/ipv6/ip6_fib.c:2255
fib6_clean_all+0x2a/0x38 net/ipv6/ip6_fib.c:2266
rt6_sync_down_dev net/ipv6/route.c:4768 [inline]
rt6_disable_ip+0x6f4/0x716 net/ipv6/route.c:4773
addrconf_ifdown.isra.0+0xa0/0xd7c net/ipv6/addrconf.c:3706
addrconf_notify+0x3be/0x18b8 net/ipv6/addrconf.c:3631
notifier_call_chain+0xb8/0x188 kernel/notifier.c:83
raw_notifier_call_chain+0x2a/0x38 kernel/notifier.c:410
call_netdevice_notifiers_info+0x9e/0x10e net/core/dev.c:2075
call_netdevice_notifiers_extack net/core/dev.c:2087 [inline]
call_netdevice_notifiers net/core/dev.c:2101 [inline]
dev_close_many+0x1d6/0x2c8 net/core/dev.c:1676
unregister_netdevice_many+0x2dc/0xf18 net/core/dev.c:10913
default_device_exit_batch+0x228/0x258 net/core/dev.c:11456
ops_exit_list+0xb2/0xcc net/core/net_namespace.c:178
cleanup_net+0x3ba/0x6a8 net/core/net_namespace.c:595
process_one_work+0x5b0/0xf3a kernel/workqueue.c:2275
worker_thread+0x350/0x87a kernel/workqueue.c:2421
kthread+0x234/0x298 kernel/kthread.c:292
ret_from_exception+0x0/0x14

The buggy address belongs to the object at ffffffe00a9ba400
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes inside of
 256-byte region [ffffffe00a9ba400, ffffffe00a9ba500)
The buggy address belongs to the page:
page:ffffffcf022aee80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8abba
head:ffffffcf022aee80 order:1 compound_mapcount:0
flags: 0xffe000000010200(slab|head)
raw: 0ffe000000010200 ffffffcf021afb80 0000000200000002 ffffffe005601b40
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3080, ts 1540696829800
arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:145
stack_trace_save+0x4a/0x6a kernel/stacktrace.c:121
create_dummy_stack mm/page_owner.c:64 [inline]
register_dummy_stack+0x30/0x6a mm/page_owner.c:70
init_page_owner mm/page_owner.c:88 [inline]
init_page_owner+0x6e/0x510 mm/page_owner.c:83
page last free stack trace:
arch_stack_walk+0x2c/0x3c arch/riscv/kernel/stacktrace.c:145
stack_trace_save+0x4a/0x6a kernel/stacktrace.c:121
create_dummy_stack mm/page_owner.c:64 [inline]
register_dummy_stack+0x30/0x6a mm/page_owner.c:70
init_page_owner mm/page_owner.c:88 [inline]
init_page_owner+0x6e/0x510 mm/page_owner.c:83

Memory state around the buggy address:
 ffffffe00a9ba380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffe00a9ba400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffffffe00a9ba480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffffffe00a9ba500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffffffe00a9ba580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================